gitoxide An idiomatic, lean, fast & safe pure Rust implementation of Git. gix-path can be tricked into running another git.exe placed in an untrusted location by a limited user account on Windows systems. Windows permits limited user accounts without administrative privileges to create new directories in the root of the system drive. While gix-path first looks for git using a PATH search, in version 0.10.8 it also has a fallback strategy on Windows of checking two hard-coded paths intended to be the 64-bit and 32-bit Program Files directories. Existing functions, as well as the newly introduced exe_invocation function, were updated to make use of these alternative locations. This causes facilities in gix_path::env to directly execute git.exe in those locations, as well as to return its path or whatever configuration it reports to callers who rely on it. Although unusual setups where the system drive is not C:, or even where Program Files directories have non-default names, are technically possible, the main problem arises on a 32-bit Windows system. Such a system has no C:\Program Files (x86) directory. A limited user on a 32-bit Windows system can therefore create the C:\Program Files (x86) directory and populate it with arbitrary contents. Once a payload has been placed at the second of the two hard-coded paths in this way, other user accounts including administrators will execute it if they run an application that uses gix-path and do not have git in a PATH directory. (While having git found in a PATH search prevents exploitation, merely having it installed in the default location under the real C:\Program Files directory does not. This is because the first hard-coded path’s mingw64 component assumes a 64-bit installation.). Only Windows is affected. Exploitation is unlikely except on a 32-bit system. In particular, running a 32-bit build on a 64-bit system is not a risk factor. Furthermore, the attacker must have a user account on the system, though it may be a relatively unprivileged account. Such a user can perform privilege escalation and execute code as another user, though it may be difficult to do so reliably because the targeted user account must run an application or service that uses gix-path and must not have git in its PATH. The main exploitable configuration is one where Git for Windows has been installed but not added to PATH. This is one of the options in its installer, though not the default option. Alternatively, an affected program that sanitizes its PATH to remove seemingly nonessential directories could allow exploitation. But for the most part, if the target user has configured a PATH in which the real git.exe can be found, then this cannot be exploited. This issue has been addressed in release version 0.10.9 and all users are advised to upgrade. There are no known workarounds for this vulnerability.